Ignore NSEC records without RRSIG and NSEC present

dns_nsec_noexistnodata now checks that RRSIG and NSEC are present in the type map. Both types should be present in a correctly constructed NSEC record. This check is in addition to similar checks in resolver.c and validator.c.
2026-06-15 02:10:00 -04:00 · 2021-11-06 09:30:48 +11:00 · 2021-11-06 09:30:48 +11:00 · 4bdd5a9953
commit 4bdd5a9953
parent 8ff2c133b5
2 changed files with 18 additions and 0 deletions
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@ -328,6 +328,16 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 	}
 	dns_rdataset_current(nsecset, &rdata);

+#ifdef notyet
+	if (!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig) ||
+	    !dns_nsec_typepresent(&rdata, dns_rdatatype_nsec))
+	{
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			 "NSEC missing RRSIG and/or NSEC from type map");
+		return (ISC_R_IGNORE);
+	}
+#endif
+
 	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
 	relation = dns_name_fullcompare(name, nsecname, &order, &olabels);

--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@ -10069,6 +10069,14 @@ query_coveringnsec(query_ctx_t *qctx) {
 		goto cleanup;
 	}

+	/*
+	 * If NSEC or RRSIG are missing from the type map
+	 * reject the NSEC RRset.
+	 */
+	if (!dns_nsec_requiredtypespresent(qctx->rdataset)) {
+		goto cleanup;
+	}
+
 	/*
 	 * Check that we have the correct NOQNAME NSEC record.
 	 */